If you have experienced or are experiencing the Nefilim ransomware, you are not alone. Other people have lamented about it as well.

We have compiled this article to explain to you what the Nefilim ransomware is, what it does, how to remove it, and how to get rid of it for good.

About the Nefilim Ransomware?

Nefilim is a new ransomware that surfaced and began spreading on the internet towards the end of February 2020, as reported by Bleeping Computer. Bleeping Computer’s report suggests that the Nefilim ransomware code has signatures indicating it is an upgraded version of Nemty 2.5.

Although the two share similarities in their code, they have a key difference in their operation.

Nefilim communicates with the victims for emails via payments via email instead of Tor payment sites. It has abolished the important Ransomware-as-a-Service (RaaS) component – both of which were specific features of Nemty. There is no indication yet that the same threat actors in Nemty are behind Nefilim.

What does the Nefilim ransomware do?

To answer this question, all you need to know is the modus operandi of the Nefilim ransomware.

Nefilim ransomware operates by infecting systems and encrypting files to demand payment for decryption. But it has its particular way of operation:

It is not yet known for sure how Nefilim is being distributed, but security researchers now say it is most likely distributed through exposed Remote Desktop Services.

Upon being launched, the Nefilim ransomware uses a combination of two algorithms – AES-128 and RSA-2048 – to encrypt the victim’s files.

First, the AES-128 algorithm encrypts the victim’s files.

This AES encryption key is then encrypted by an RSA-2048 public key, which is embedded in the executable file of the ransomware.

The encrypted AES key is then added to the contents of each encrypted file. This can only be decrypted by the RSA private key known only to the ransomware operators or developers.

Nefilim then marks all the encrypted files with a string (extension) that appears as ‘.NEFILIM.’

The encrypted files will then have the file extension name – ‘.NEFILIM’ – appended to their file names. For example, a file called state.doc is encrypted and renamed todoc.NEFILIM.

On top of the encrypted AES key, the Nefilim ransomware also adds a file marker string in the form of “NEFILIM” to all the encrypted files.

After successfully encrypting the targeted files, Nefilim then plants a ransom note – ‘NEFILIM-DECRYPT.txt’ – to instruct the victim on how to decrypt and recover the files.

The Nefilim ransomware appears to be more sophisticated than others before it. In the Nefilim ransom note, the operators put different contact emails on how to contact them for payments, and they also threaten to release the victim’s data if they don’t pay the ransom within seven days of the attack.

Should you pay the ransom?

There is no right or clear-cut answer to this dilemma.

You may pay the ransom and obtain the key to decrypt your files. But there is no guarantee the Nefilim operators will give you the key. Judging from the previous history, such crooks have failed to deliver the required decryption tool or software.

As a result, it is simply advised to avoid contact with ransomware operators.

What should a victim do?

The first thing a Nefilim ransomware victim needs to do is to remove the ransomware from the PC system immediately. The longer the ransomware stays inside, the more data it compromises. Secondly, you can restore your data once the threat is successfully removed.

How to Remove the Nefilim ransomware?

Removing the Nefilim ransomware from your computer system is the only safe and reliable way to solve the problem. You can do this in two ways:

Use an automated removal tool or software, such as a third-party software for a ransomware removal tool.

Use the manual method, which can be a bit complex as it requires experience in using computers and may require you to seek a specialist’s help.

How to Get Rid of the Nefilim Ransomware

You will need to get rid of the Nefilim ransomware and all related files forever.

Before proceeding to remove it, you need to reboot the computer system in Safe Mode with Networking:

For Windows XP/Vista/7 users:

Restart your computer.

Before your PC starts, hit F8 several times (This will prevent the system from loading and direct you to Advanced boot options screen.)

On the advanced boot screen, choose the ‘Safe mode with networking option.’

For Windows 8 &10 users:

After the final restarts, press F5 to Enable Safe Mode with Networking (then follow onscreen instructions.)

Conclusion

That’s it!

We understand how frustrating the Nefilim ransomware can be. But we believe that you now understand it and how to get rid of it. If you have any other issues with ransomware attacks, alert us through the comments section.